L14: Entry 10 of 21 File: USPT Mar 25, 2003



DOCUMENT-IDENTIFIER: US 6539379 B1

** See image for Certificate of Correction ** 

TITLE: Method and apparatus for implementing a corporate directory and service 
center 



Brief Summary Text (7):

One relatively recently available method for storage of information is use of a 
directory server and a lightweight directory access protocol (LDAP). A directory
server stores data entries in name-value or attribute-value pairs. Utilizing LDAP,
queries can be made of the directory server, thereby locating a set of data entries 
which match the query. As a result, the information often stored in databases may 
be stored in a medium accessible to a directory server, and queries may be used to 
access this information. However, the directory server does not feature the strong 
typing capabilities that databases do. As an example, a data entry intended to be a 
telephone number, named "phone" and intended to store only numeric values, will 
store the value "four-one-five" just as easily as it will store "415" in a
directory server. Likewise, a database may allow a restriction on the size of a 
field of characters, whereas the directory server may store the data as a string of 
ASCII characters, but not limit the length of the string. 

Drawing Description Text (3):

FIG. 1A illustrates some of the information associated with an exemplary employee 
as it might be stored in a database such as a directory server. 

Detailed Description Text (5):

Turning to FIG. 1A, some of the information associated with an exemplary employee 
as it may be stored in a database such as a directory server is illustrated. The 
information is stored in a data entry, with a unique identifier by which the data 
entry may be accessed. This unique identifier may also be referred to as a 
distinguished name or dn. In one embodiment, this identifier includes the name of 
the employee, and the organization in which the employee works. The information 
actually stored may include data items such as a picture 110 (such as a JPEG file, 
for example), a Name 112, Title 114, Phone Number 116, Email Address 118, Office 
location 120, Fax number 122, Cell phone number 124, Pager number 126, Webpage
address 128, Manager name 130, Assistant 132, Department 134, Building 138, Address 
140 (or mail stop for example), SSN 142 (Social Security Number), Salary 144, Home 
Phone number 146, and Home Address 148. Note that each employee might not have 
information stored for each item listed above, and other items may be added to the 
data entry. Also, each data item may have its own format, such that the data stored 
in Phone number 116, Fax number 122 and Cell phone number 124 are all alphanumeric, 
whereas the information stored in a data item such as Name 112 is alphabetic only.
Direct Reports 136 represent a special case, in that in one embodiment Direct 
Reports 136 is not actually stored in the data entry, but is derived from other 
data entries that make reference to the data entry in question. In an alternative 
embodiment, the value of Direct Reports 136 may be stored in the data entry, either 
as unique identifiers referring to the direct reports, or as names of the direct 
reports, for example. 

Detailed Description Text (75):

Likewise, access control may be as granular as necessary, such that in one
embodiment access may be granted to sets of data entries or single data entries on
an attribute by attribute basis. Furthermore, in one embodiment, access control may
be determined by rules in the form of queries, similar to the queries of FIGS. 5A
and 5B above. Thus, a query may be formed such as Manager="Lou Reed", and those
employees reporting to Lou Reed 3108 (the CIO) may have access to all information.
Additionally, access control may be separated such that most employees have access
for viewing but not for requesting changes, or for viewing and requesting but not
approving changes. A first employee may be able to view information about John
Smith 1066, whereas a second employee may be able to view and request changes of
information about John Smith 1066 and a third employee may be able to approve such
changes.
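The query-driven, attribute-by-attribute access control described above, sketched as an added example (not code from the patent). The rule layout, the default-deny behaviour, the `Right` names and every directory entry other than the names Lou Reed and John Smith are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    VIEW = auto()      # read an attribute
    REQUEST = auto()   # ask for an attribute to be changed
    APPROVE = auto()   # commit a requested change


ANY = frozenset({"*"})  # wildcard: rule covers every attribute


@dataclass
class Rule:
    subject_query: dict    # equality terms matched against the requester's entry
    target_query: dict     # equality terms matched against the entry accessed
    attributes: frozenset  # attribute names the rule covers, or ANY
    rights: Right


def matches(entry, query):
    """True when every attribute=value term of the query holds for the entry."""
    return all(entry.get(k) == v for k, v in query.items())


def allowed(rules, subject, target, attr, right):
    """Default deny: a right exists only if some matching rule grants it."""
    granted = Right(0)
    for r in rules:
        covers = "*" in r.attributes or attr in r.attributes
        if covers and matches(subject, r.subject_query) and matches(target, r.target_query):
            granted |= r.rights
    return bool(granted & right)


def view(rules, subject, target):
    """Return only the attributes of target that subject may read."""
    return {a: v for a, v in target.items()
            if allowed(rules, subject, target, a, Right.VIEW)}


def request_change(rules, subject, target, attr, value):
    if not allowed(rules, subject, target, attr, Right.REQUEST):
        raise PermissionError(f"{subject['Name']} may not request changes to {attr}")
    return {"target": target["Name"], "attr": attr, "value": value, "by": subject["Name"]}


def approve_change(rules, approver, directory, req):
    target = directory[req["target"]]
    if not allowed(rules, approver, target, req["attr"], Right.APPROVE):
        raise PermissionError(f"{approver['Name']} may not approve changes to {req['attr']}")
    target[req["attr"]] = req["value"]


# Constructed sample directory (all values are made up for the example).
DIRECTORY = {
    "Lou Reed": {"Name": "Lou Reed", "Title": "CIO", "Manager": "Jane Doe",
                 "Department": "IT", "Phone": "415-555-0101"},
    "John Smith": {"Name": "John Smith", "Title": "Engineer", "Manager": "Lou Reed",
                   "Department": "IT", "Phone": "415-555-0100",
                   "Salary": "100000", "SSN": "000-00-0000"},
    "Ann Lee": {"Name": "Ann Lee", "Title": "Analyst", "Manager": "Lou Reed",
                "Department": "IT", "Phone": "415-555-0102"},
    "Bob Ray": {"Name": "Bob Ray", "Title": "Sales Rep", "Manager": "Jane Doe",
                "Department": "Sales", "Phone": "415-555-0103"},
    "Hal Roe": {"Name": "Hal Roe", "Title": "HR Partner", "Manager": "Jane Doe",
                "Department": "HR", "Phone": "415-555-0104"},
}

RULES = [
    # Every employee may view basic contact attributes of every entry.
    Rule({}, {}, frozenset({"Name", "Title", "Phone"}), Right.VIEW),
    # The page's own query: employees reporting to Lou Reed may view all information.
    Rule({"Manager": "Lou Reed"}, {}, ANY, Right.VIEW),
    # HR may view and request changes to phone numbers, but not approve them.
    Rule({"Department": "HR"}, {}, frozenset({"Phone"}), Right.VIEW | Right.REQUEST),
    # Lou Reed may approve phone and title changes for his direct reports.
    Rule({"Name": "Lou Reed"}, {"Manager": "Lou Reed"},
         frozenset({"Phone", "Title"}), Right.APPROVE),
]
```

Because rights are only ever added by a matching rule, an attribute such as SSN or Salary that no rule names for a given requester stays invisible to that requester without any explicit deny entry.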

Field of Search Class/SubClass (1):
707/2

US Reference US Original Classification (11):
707/2

US Reference Group (11):
6189003 20010200 Leal 707/2.

L6: Entry 11 of 11 File: USPT Aug 3, 2004

US-PAT-NO: 6772157

DOCUMENT-IDENTIFIER: US 6772157 B2

TITLE: Delegated administration of information in a database directory
DATE-ISSUED: August 3, 2004



INVENTOR-INFORMATION:

NAME                      CITY            STATE  ZIP CODE  COUNTRY
Barnett; Janet Arlie      Pattersonville  NY
Vivier; Barbara Jean      Niskayuna       NY
Aggour; Kareem Sherif     Schenectady     NY
Kornfein; Mark Mitchell   Latham          NY

US-CL-CURRENT: 707/9; 707/10, 709/206, 709/229, 709/246, 726/1, 726/3

CLAIMS:

What is claimed is:

1. A method for managing information associated with a user community, 
comprising: specifying the information associated with the user community into 
at least one administrative domain, wherein the at least one administrative 
domain is a managed object that comprises a set of users, a set of modifiable
user attributes and a set of allowable values for the user attributes; 
granting administrative privileges for managing the information associated 
with the user community according to the set of users, attributes and 
allowable attribute values specified for the at least one administrative 
domain, wherein the administrative privileges include at least one of 
delegation authority and edit authority; and specifying the at least one 
administrative domain into administrative sub-domains each having a set of
users, attributes and allowable attribute values and granting administrative
privileges for administrating the user community information associated with
each sub-domain, wherein the specifying and granting continue to an arbitrary
level with respect to the at least one administrative domain.

2. The method according to claim 1, wherein the administrative privileges for 
administrating the user community information associated with each sub-domain
includes at least one of delegation authority and edit authority. 

3. The method according to claim 1, further comprising delegating the granted 
administrative privileges for the at least one administrative domain and 
administrative sub-domains.

4. A method for providing delegated administration of a user community, 
comprising: dividing the user community into at least one administrative 
domain, wherein the at least one administrative domain is a managed object
that comprises a set of users, a set of modifiable user attributes and a set 
of allowable values for the user attributes; granting administrative 
privileges to an administrator for managing user community information 
according to the set of users, attributes and allowable attribute values 
specified for the at least one administrative domain, wherein the 
administrative privileges include at least one of delegation authority and 
edit authority; and delegating the granted administrative privileges from the 
administrator to another administrator for managing user community information 
associated with the at least one administrative domain.

5. The method according to claim 4, further comprising dividing the at least 
one administrative domain into administrative sub-domains each having a set of
users, attributes and allowable attribute values. 

6. The method according to claim 5, further comprising delegating the granted 
administrative privileges to other administrators for managing user community 
information associated with the administrative sub-domains.

7. The method according to claim 4, further comprising delegating the granted 
administrative privileges to additional administrators for managing user 
community information associated with the at least one administrative domain.

8. The method according to claim 4, further comprising dividing the at least 
one administrative domain into administrative sub-domains each having a set of
users, attributes and allowable attribute values and delegating administrative 
privileges for managing user community information associated with each 
domain, wherein the dividing and delegating continue to an arbitrary level 
with respect to the at least one administrative domain. 

9. A method for providing delegated administration of a user community with a 
client system, comprising: dividing the user community into at least one 
administrative domain, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; granting 
administrative privileges to an administrator for managing user community 
information according to the set of users, attributes and allowable attribute 
values specified for the at least one administrative domain, wherein the 
administrative privileges include at least one of delegation authority and 
edit authority; dividing the at least one administrative domain into 
administrative sub-domains each having set of users, attributes and allowable
attribute values; and delegating the granted administrative privileges from 
the administrator to other administrators for managing user community 
information associated with the administrative sub-domains.

10. The method according to claim 9, further comprising dividing the 
administrative sub-domains into more domains each having a set of users,
attributes and allowable attribute values and delegating administrative 
privileges for managing user community information associated with each of 
these domains, wherein the dividing and delegating continue to an arbitrary
level with respect to the at least one administrative domain.

11. The method according to claim 9, wherein the delegating of granted 
administrative privileges comprises having an administrator with delegation 
authority delegating at least one of delegation authority and edit authority 
and an administrator with edit authority delegating edit authority. 

12. A method for enabling an administrator to control administration of 
information associated with a user community, comprising: providing the
information associated with the user community to the administrator; prompting 
the administrator to define at least one administrative domain for the user 
community, wherein the at least one administrative domain is a managed object 
that comprises a set of users, a set of modifiable user attributes and a set 
of allowable values for the user attributes; prompting the administrator to 
define administrative privileges for managing user community information 
according to the set of users, attributes and allowable attribute values 
defined for the at least one administrative domain, wherein the administrative 
privileges include at least one of delegation authority and edit authority; 
and using the at least one administrative domain and administrative privileges 
defined by the administrator to control administration of the information 
associated with the user community.

13. The method according to claim 12, further comprising prompting the 
administrator to divide the at least one administrative domain into 
administrative sub-domains each having a set of users, attributes and
allowable attribute values. 

14. The method according to claim 13, further comprising prompting the 
administrator to delegate the granted administrative privileges from the 
administrator to other administrators for the administrative sub-domains.

15. The method according to claim 14, further comprising prompting the 
administrator to divide the administrative sub-domains into more domains each
having a set of users, attributes and allowable attribute values and delegate 
administrative privileges for managing user community information associated 
with each of these domains, wherein the prompting to divide and delegate 
continues to an arbitrary level with respect to the at least one 
administrative domain.

16. A method for enabling an administrator to delegate administrative control 
of a user community, comprising: providing information associated with the 
user community; prompting the administrator to define at least one
administrative domain for the user community, wherein the at least one 
administrative domain is a managed object that comprises a set of users, a set 
of modifiable user attributes and a set of allowable values for the user 
attributes; prompting the administrator to define administrative privileges 
for managing user community information according to the set of users, 
attributes and allowable attribute values defined for the at least one 
administrative domain, wherein the administrative privileges include at least 
one of delegation authority and edit authority; prompting the administrator to 
divide the at least one administrative domain into administrative sub-domains
each having a set of users, attributes and allowable attribute values; 
prompting the administrator to delegate the granted administrative privileges 
from the administrator to other administrators for managing user community 
information associated with the administrative sub-domains; and using the
administrative domains and administrative privileges to control administration 
of the information associated with the user community.

17. A user community administration tool for managing information associated 
with a user community, comprising: a domain definition component that defines 
the user community into at least one administrative domain, wherein the at 
least one administrative domain is a managed object that comprises a set of 
users, a set of modifiable user attributes and a set of allowable values for 
the user attributes; an administrative privileges component that grants 
administrative privileges for managing user community information according to 
the set of users, attributes and allowable attribute values defined for the at
least one administrative domain, wherein the administrative privileges include 
at least one of delegation authority and edit authority; and an information
management component that manages user community information associated with 
the at least one administrative domain in accordance with the granted 
administrative privileges. 

18. The tool according to claim 17, wherein the domain definition component 
specifies the at least one administrative domain into administrative
sub-domains each having a set of users, attributes and allowable attribute values.

19. The tool according to claim 18, wherein the administrative privileges 
component delegates the administrative privileges for managing user community 
information associated with the administrative sub-domains.

20. The tool according to claim 17, wherein the administrative privileges 
component delegates the granted administrative privileges for managing user 
community information associated with the at least one administrative domain. 

21. The tool according to claim 17, wherein the domain definition component 
specifies administrative sub-domains each having a set of users, attributes
and allowable attribute values and the administrative privileges component 
delegates the administrative privileges for managing user community 
information associated with the domains to an arbitrary level with respect to 
the at least one administrative domain.

22. A system for managing information associated with a user community, 
comprising: a database directory containing a plurality of user information; a 
user community administration tool to manage the plurality of user information 
in the database directory; the user community administration tool comprising a 
domain definition component to define the user community into at least one 
administrative domain, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; an 
administrative privileges component to grant administrative privileges for 
managing user community information according to the set of users, attributes 
and allowable attribute values defined for the at least one administrative 
domain, wherein the administrative privileges include at least one of 
delegation authority and edit authority; and an information management 
component to manage user community information associated with the at least 
one administrative domain in accordance with the granted administrative 
privileges; and a first computing unit configured to serve the user community 
administration tool and the database directory. 

23. The system according to claim 22, wherein the domain definition component 
specifies the at least one administrative domain into administrative
sub-domains each having a set of users, attributes and allowable attribute values.

24. The system according to claim 23, wherein the administrative privileges 
component delegates the administrative privileges for managing user community 
information associated with the administrative sub-domains.

25. The system according to claim 22, wherein the administrative privileges 
component delegates the granted administrative privileges for managing user 
community information associated with the at least one administrative domain. 

26. The system according to claim 22, further comprising a second computing 
unit configured to execute the user community administration tool served from 
the first computing unit over a network. 

27. A system for managing information associated with a user community,
comprising: a database directory containing a plurality of user information; a 
user community administration tool to manage the plurality of user information 
in the database directory; the user community administration tool comprising a 
domain definition component to define the user community into at least one 
administrative domain, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; an 
administrative privileges component to grant administrative privileges for 
managing user community information according to the set of users, attributes 
and allowable attribute values defined for the at least one administrative 
domain, wherein the administrative privileges include at least one of 
delegation authority and edit authority; and an information management 
component to manage user community information associated with the at least 
one administrative domain in accordance with the granted administrative 
privileges; a first computing unit configured to execute the user community 
administration tool; a network; and a second computing unit configured to 
serve the database directory and the user community administration tool to the 
first computing unit over the network. 

28. A user community administration tool for providing delegated 
administration of a user community, comprising: means for dividing the user 
community into at least one administrative domain, wherein the at least one 
administrative domain is a managed object that comprises a set of users, a set 
of modifiable user attributes and a set of allowable values for the user
attributes; means for granting administrative privileges to an administrator 
for managing user community information according to the set of users, 
attributes and allowable attribute values specified for the at least one 
administrative domain, wherein the administrative privileges include at least 
one of delegation authority and edit authority; and means for delegating the 
granted administrative privileges to another administrator for managing user 
community information associated with the at least one administrative domain. 

29. The tool according to claim 28, further comprising means for dividing the 
at least one administrative domain into administrative sub-domains each having
a set of users, attributes and allowable attribute values. 

30. The tool according to claim 29, further comprising means for delegating 
the granted administrative privileges to other administrators for managing 
user community information associated with the administrative sub-domains,
wherein an administrator with delegation authority delegates at least one of 
delegation authority and edit authority, while an administrator with edit 
authority delegates edit authority. 

31. The tool according to claim 28, further comprising means for delegating 
the granted administrative privileges to additional administrators for 
managing user community information associated with the at least one 
administrative domain.

32. A system for providing delegated administrative control of a user 
community, comprising: a database directory containing a plurality of user 
information associated with the user community: and a user community 
administration tool to facilitate administrative control of the user 
information in the database directory; the user community administration tool 
comprising a domain definition component to define the user community into at 
least one administrative domain, wherein the at least one administrative 
domain is a managed object that comprises a set of users, a set of modifiable 
user attributes and a set of allowable values for the user attributes; an
administrative privileges component to grant administrative privileges for 
managing user community information according to the set of users, attributes 
and allowable attribute values defined for the at least one administrative 
domain, wherein the administrative privileges include at least one of 
delegation authority and edit authority; and an information management 
component to manage user community information associated with the at least 
one administrative domain in accordance with the granted administrative 
privileges.

33. The system according to claim 32, wherein the domain definition component 
divides the at least one administrative domain into administrative sub-domains
each having a set of users, attributes and allowable attribute values. 

34. The system according to claim 33, wherein the administrative privileges 
component delegates the administrative privileges to an arbitrary level of 
administrators for managing user community information associated with the 
administrative sub-domains.

35. The system according to claim 32, wherein the administrative privileges 
component delegates the granted administrative privileges from the 
administrator to other administrators for managing user community information 
associated with the at least one administrative domain.

36. A computer-readable medium storing computer instructions for instructing a
computer system to provide delegated administration of a user community, the 
computer instructions comprising: dividing the user community into at least 
one administrative domain, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; granting 
administrative privileges to an administrator for managing user community 
information according to the set of users, attributes and allowable attribute 
values defined for the at least one administrative domain, wherein the 
administrative privileges include at least one of delegation authority and 
edit authority; and delegating the granted administrative privileges to 
another administrator for managing user community information associated with 
the at least one administrative domain.

37. The computer-readable medium according to claim 36, further comprising 
instructions for dividing the at least one administrative domain into 
administrative sub-domains each having a set of users, attributes and
allowable attribute values. 

38. The computer-readable medium according to claim 37, further comprising 
instructions for delegating the granted administrative privileges to other 
administrators for managing user community information associated with the 
administrative sub-domains.

39. The computer-readable medium according to claim 36, further comprising 
instructions for delegating the granted administrative privileges to 
additional administrators for managing user community information associated 
with the at least one administrative domain.

40. The computer-readable medium according to claim 36, further comprising
instructions for dividing the at least one administrative domain into 
administrative sub-domains each having a set of users, attributes and
allowable attribute values and delegating administrative privileges for 
managing user community information associated with each domain, wherein the 
dividing and delegating continue to an arbitrary level with respect to the at
least one administrative domain.

41. The computer-readable medium according to claim 36, further comprising 
instructions for managing user community information associated with the at 
least one administrative domain according to the delegated administrative 
privileges. 

42. A computer-readable medium storing computer instructions for instructing a 
computer system to provide delegated administration of a user community, the 
computer instructions comprising: dividing the user community into at least 
one administrative domain, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; granting 
administrative privileges to an administrator for managing user community 
information according to the set of users, attributes and allowable attribute 
values defined for the at least one administrative domain, wherein the 
administrative privileges include at least one of delegation authority and 
edit authority; dividing the at least one administrative domain into 
administrative sub-domains each having a set of users, attributes and
allowable attribute values; and delegating the granted administrative 
privileges from the administrator to other administrators for managing user 
community information associated with the administrative sub-domains.

43. The computer-readable medium according to claim 42, further comprising
instructions for dividing the administrative sub-domains into more domains
each having a set of users, attributes and allowable attribute values and 
delegating administrative privileges for managing user community information 
associated with each of these domains, wherein the dividing and delegating
continue to an arbitrary level with respect to the at least one administrative 
domain.

44. A computer-readable medium storing computer instructions for instructing a
computer system to enable an administrator to control administration of a user 
community, the computer instructions comprising: providing information 
associated with the user community to the administrator; prompting the 
administrator to define at least one administrative domain for the user 
community, wherein the at least one administrative domain is a managed object 
that comprises a set of users, a set of modifiable user attributes and a set 
of allowable values for the user attributes; prompting the administrator to 
define administrative privileges for managing user community information 
according to the set of users, attributes and allowable attribute values 
defined for the at least one administrative domain, wherein the administrative 
privileges include at least one of delegation authority and edit authority; 
and using the at least one administrative domain and administrative privileges 
defined by the administrator to control administration of the information 
associated with the user community.

45. The computer-readable medium according to claim 44, further comprising 
instructions for prompting the administrator to divide the at least one 
administrative domain into administrative sub-domains each having a set of
users, attributes and allowable attribute values. 

46. The computer-readable medium according to claim 45, further comprising 
instructions for prompting the administrator to delegate the granted 
administrative privileges from the administrator to other administrators for 
managing user community information associated with the administrative
sub-domains.

47. The computer-readable medium according to claim 46, further comprising
instructions for prompting the administrator to divide the administrative
sub-domains into more domains each having a set of users, attributes and allowable
attribute values and delegate administrative privileges for managing user 
community information associated with each of these domains, wherein the
prompting to divide and delegate continues to an arbitrary level with respect 
to the at least one administrative domain.

48. A computer-readable medium containing computer instructions for 
instructing a computer system to enable an administrator to delegate 
administration control of a user community, the computer instructions 
comprising: providing information associated with the user community;
prompting the administrator to define at least one administrative domain for 
the user community, wherein the at least one administrative domain is a 
managed object that comprises a set of users, a set of modifiable user 
attributes and a set of allowable values for the user attributes; prompting 
the administrator to define administrative privileges for managing user 
community information according to the set of users, attributes and allowable 
attribute values defined for the at least one administrative domain, wherein 
the administrative privileges include at least one of delegation authority and 
edit authority; prompting the administrator to divide the at least one 
administrative domain into administrative sub-domains each having a set of
users, attributes and allowable attribute values; prompting the administrator 
to delegate the granted administrative privileges from the administrator to 
other administrators for managing user community information associated with 
the administrative sub-domains; and using the at least one administrative
domain and administrative sub-domains and administrative privileges and
delegated privileges defined by the administrator to control administration of
the information associated with the user community.
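
The delegation model recited in claims 1, 8 and 11, sketched as an added example (not code from the patent): a domain is a set of users plus modifiable attributes with allowable values, and an administrator with edit authority can pass on only edit authority. Two points are assumptions of this sketch rather than claim language: a sub-domain must stay within its parent's users, attributes and values, and authority held on a domain carries down to its sub-domains. All names and sample values are constructed.

```python
from dataclasses import dataclass, field

DELEGATE, EDIT = "delegation", "edit"  # the two authorities named in the claims


@dataclass
class Domain:
    name: str
    users: frozenset
    allowed: dict                    # modifiable attribute -> frozenset of allowable values
    parent: "Domain | None" = None
    grants: dict = field(default_factory=dict)  # administrator -> set of authorities

    def encloses(self, users, allowed):
        """True when the proposed scope is no wider than this domain (assumption)."""
        return users <= self.users and all(
            attr in self.allowed and values <= self.allowed[attr]
            for attr, values in allowed.items())


def subdivide(parent, name, users, allowed):
    """Create a sub-domain; refuse one that would widen the parent's scope."""
    users = frozenset(users)
    allowed = {a: frozenset(v) for a, v in allowed.items()}
    if not parent.encloses(users, allowed):
        raise ValueError(f"{name} exceeds the scope of {parent.name}")
    return Domain(name, users, allowed, parent)


def held(domain, admin):
    """Authorities admin holds on domain, directly or via an enclosing domain."""
    out = set()
    while domain is not None:
        out |= domain.grants.get(admin, set())
        domain = domain.parent
    return out


def delegate(domain, granter, grantee, authorities):
    """Claim 11: delegation authority may pass on delegation and/or edit
    authority; edit authority may pass on edit authority only."""
    have = held(domain, granter)
    may_pass_on = {DELEGATE, EDIT} if DELEGATE in have else have & {EDIT}
    wanted = set(authorities)
    if not wanted or not wanted <= may_pass_on:
        raise PermissionError(f"{granter} cannot grant {sorted(wanted)} on {domain.name}")
    domain.grants.setdefault(grantee, set()).update(wanted)


def can_edit(domain, admin, user, attr, value):
    """An edit is in scope only if the user, the attribute and the new value
    all fall inside the domain and the administrator holds edit authority."""
    return (EDIT in held(domain, admin)
            and user in domain.users
            and value in domain.allowed.get(attr, frozenset()))


def build_sample():
    """Constructed community: one root domain and one narrower sub-domain."""
    root = Domain("community", frozenset({"u1", "u2", "u3", "u4"}),
                  {"role": frozenset({"viewer", "editor", "admin"}),
                   "region": frozenset({"NA", "EU"})},
                  grants={"root-admin": {DELEGATE, EDIT}})
    eu = subdivide(root, "eu-support", {"u3", "u4"}, {"role": {"viewer", "editor"}})
    delegate(eu, "root-admin", "eve", {EDIT})
    return root, eu
```

The value check in `can_edit` is what keeps a sub-domain administrator from assigning a value, such as the `admin` role here, that was left out of the sub-domain's allowable set.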